Chat now with support
Chat with Support

Identity Manager 9.2.1 - Administration Guide for Privileged Account Governance

About this guide Managing a Privileged Account Management system in One Identity Manager Synchronizing a Privileged Account Management system
Setting up the initial synchronization of a One Identity Safeguard Customizing the synchronization configuration for One Identity Safeguard Running synchronization Tasks following synchronization Troubleshooting Ignoring data error in synchronization Pausing handling of target system specific processes (Offline mode)
Managing PAM user accounts and identities Managing assignments of PAM user groups Login credentials for PAM user accounts Mapping PAM objects in One Identity Manager
PAM appliances PAM user accounts PAM user groups PAM assets PAM asset groups PAM asset accounts PAM directory accounts PAM account groups PAM directories PAM partitions PAM entitlements PAM access request policies Reports about PAM objects
PAM access requests Handling of PAM objects in the Web Portal Basic data for managing a Privileged Account Management system Configuration parameters for managing a Privileged Account Management system Default project template for One Identity Safeguard Editing One Identity Safeguard system objects One Identity Safeguard connector settings Known issues about connecting One Identity Safeguard appliances

About this guide

The One Identity Manager Administration Guide for Privileged Account Governance describes how you set up synchronization of One Identity Safeguard with One Identity Manager. You will discover, which user accounts, user groups, assets, asset groups, accounts, account groups, directories, entitlements, and access request policies of a Privileged Account Management system are mapped in One Identity Manager.

This guide is intended for end users, system administrators, consultants, analysts, and any other IT professionals using the product.

NOTE: This guide describes One Identity Manager functionality available to the default user. It is possible that not all the functions described here are available to you. This depends on your system configuration and permissions.

Available documentation

You can access One Identity Manager documentation in the Manager and in the Designer by selecting the Help > Search menu item. The online version of One Identity Manager documentation is available in the Support portal under Technical Documentation. You will find videos with additional information at www.YouTube.com/OneIdentity.

Managing a Privileged Account Management system in One Identity Manager

One Identity Manager offers simplified user account administration for a Privileged Account Management system. One Identity Manager concentrates on setting up and editing user accounts and assigning the user accounts to user groups. Through their user groups, the user accounts receive the required entitlements, for example, for requesting a password for an asset account or a session for the accounts and assets in the Privileged Account Management system. The assignment of entitlements to user groups is not performed in One Identity Manager but in the Privileged Account Management. User groups and requests for passwords and sessions can be requested through the Web Portal.

One Identity Manager provides company identities with the necessary user accounts. There are different ways for you to connect identities to their user accounts. You can also manage user accounts independently of identities and thus set up administrator user accounts.

The user accounts, user groups, assets, asset groups, accounts, account groups, directories, entitlements, and access request policies of a One Identity Manager systems are mapped in Privileged Account Management. These objects are imported into the One Identity Manager database during synchronization. This makes it possible to use Identity and Access Governance processes such as attesting, identity audit, user account management and system entitlements, IT Shop, or report subscriptions for Privileged Account Management systems.

NOTE: The Privileged Account Governance Module must be installed as a prerequisite for managing Privileged Account Management systems in One Identity Manager. For more information about installing, see the One Identity Manager Installation Guide.

Architecture overview

To access the data of a Privileged Account Management system, a connector for the Privileged Account Management system is installed on a synchronization server. The synchronization server ensures data is compared between the One Identity Manager database and the Privileged Account Management system.

One Identity Manager supports synchronization with One Identity Safeguard. The One Identity Safeguard connector of the One Identity Manager uses PowerShell for communication with the One Identity Safeguard appliance.

One Identity Manager users for managing Privileged Account Management

The following users are included in setting up and administration of Privileged Account Management.

Table 1: Users

Users

Tasks

Target system administrators

Target system administrators must be assigned to the Target systems | Administrators application role.

Users with this application role:

  • Administer application roles for individual target system types.

  • Specify the target system manager.

  • Set up other application roles for target system managers if required.

  • Specify which application roles for target system managers are mutually exclusive.

  • Authorize other identities to be target system administrators.

  • Do not assume any administrative tasks within the target system.

Target system managers

Target system managers must be assigned to the Target systems | Privileged account management application role or a child application role.

Users with this application role:

  • Assume administrative tasks for the target system.

  • Create, change, or delete target system objects.

  • Edit password policies for the target system.

  • Prepare groups to add to the IT Shop.

  • Can add identities that do not have the Primary identity identity type.

  • Configure synchronization in the Synchronization Editor and define the mapping for comparing target systems and One Identity Manager.

  • Edit the synchronization's target system types and outstanding objects.

  • Authorize other identities within their area of responsibility as target system managers and create child application roles if required.

  • Authorize identities as owners of privileged objects within their area of responsibility.

One Identity Manager administrators

One Identity Manager administrator and administrative system users Administrative system users are not added to application roles.

One Identity Manager administrators:

  • Create customized permissions groups for application roles for role-based login to administration tools in the Designer as required.

  • Create system users and permissions groups for non role-based login to administration tools in the Designer as required.

  • Enable or disable additional configuration parameters in the Designer as required.

  • Create custom processes in the Designer as required.

  • Create and configure schedules as required.

  • Create and configure password policies as required.

Product owner for the IT Shop

Product owners must be assigned to the Request & Fulfillment | IT Shop | Product owners application role or a child application role.

Users with this application role:

  • Approve through requests.

  • Edit service items and service categories under their management.

The Request & Fulfillment | IT Shop | Product owner | PAM user groups is used when local PAM user groups are automatically added to the IT Shop.

Owners of privileged objects

Owners of privileged objects, such as PAM assets, PAM asset accounts, PAM directory accounts, PAM asset groups, and PAM account groups must be assigned to an application role under the Privileged Account Governance | Asset and account owners application role.

Users with this application role:

  • Make decisions about requesting access requests for privileged objects.

  • Attest the possible user access to these privileged objects.

Administrators for the IT Shop

Administrators must be assigned to the Request & Fulfillment | IT Shop | Administrators application role.

Users with this application role:

  • Assign groups to IT Shop structures.

Administrators for organizations

Administrators must be assigned to the Identity Management | Organizations | Administrators application role.

Users with this application role:

  • Assign groups to departments, cost centers, and locations.

Business roles administrators

Administrators must be assigned to the Identity Management | Business roles | Administrators application role.

Users with this application role:

  • Assign groups to business roles.

Self Service Tools
Knowledge Base
Notifications & Alerts
Product Support
Software Downloads
Technical Documentation
User Forums
Video Tutorials
RSS Feed
Contact Us
Licensing Assistance
Technical Support
View All
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating